CMMC 2.0 — DoD Contract Compliance Now Required. View official DoD page: https://www.acq.osd.mil/cmmc/

Your DoD Contract Is at Risk
If You're Not CMMC Certified.

The Department of Defense now requires Cybersecurity Maturity Model Certification for every company in the defense supply chain. No certification means no contract — regardless of how long you've been a trusted subcontractor.

James Aptt
Built by someone who's been inside these frameworks. Our founder operated as an ISSO within DoD and NIST frameworks — the same standards CMMC is built on. We don't just know the requirements. We've lived them from the government side.
  • $3.5T: annual DoD contract value at stake across the supply chain
  • 110: security controls required for Level 2, the most common requirement
  • 300K+: defense contractors required to achieve CMMC certification
Understanding CMMC 2.0

Three Levels. One Question —
Which One Applies to You?

CMMC 2.0 replaced the original five-level model with a streamlined three-level framework. Your required level depends on the type of federal information your contract involves.

Level 1
Foundational
17 Security Practices
FAR 52.204-21

Designed for companies that handle Federal Contract Information (FCI) — information provided by or generated for the government under a contract but not intended for public release.

Who this applies to:
  • Companies with basic federal supply contracts
  • Manufacturers of non-sensitive components
  • Service providers with minimal federal data access
Assessment Type
Annual Self-Assessment
Key Control Areas:
Access Control, Identification & Authentication, Media Protection, Physical Protection, System & Comms Protection, System & Info Integrity
Level 3
Expert
110+ Security Practices
NIST SP 800-171 + NIST SP 800-172

The highest level — designed for companies on the most critical and sensitive defense programs. Builds on all Level 2 controls and adds enhanced practices from NIST SP 800-172 targeting advanced persistent threats (APTs) from nation-state actors.

Who this applies to:
  • Contractors on critical weapons programs
  • Companies handling the most sensitive CUI
  • Prime contractors on high-priority DoD programs
Assessment Type
Government-Led Assessment (DCSA)
Additional 800-172 Focus Areas:
Penetration Testing, Threat Hunting, Advanced Monitoring, Deception Technologies, Enhanced Config Management, APT Defense Controls
Not sure which level you need? Check your contract for the phrases "Federal Contract Information," "Controlled Unclassified Information," or "CUI." If you see any of those — or if your prime contractor has mentioned CMMC — you almost certainly need Level 2. Book a free discovery call and we'll confirm your requirement in 15 minutes.
Self Assessment

Are You Ready for CMMC Level 2?
Check These 14 Control Domains.

CMMC Level 2 requires 110 controls across 14 domains. This checklist covers the most commonly failed areas during third-party assessments. Be honest — every gap is a finding that could cost you your contract.

Access & Identity Controls
  • Access Control (AC): Access to CUI is limited to authorized users, processes, and devices based on least privilege.
  • Identification & Authentication (IA): Multi-factor authentication is required for all users accessing organizational systems with CUI.
  • Personnel Security (PS): Personnel are screened before being granted access to organizational systems containing CUI.
System & Data Controls
  • Configuration Management (CM): Baseline configurations are established and maintained for all systems processing CUI.
  • Media Protection (MP): CUI on digital and physical media is protected, controlled, sanitized, and disposed of securely.
  • System & Comms Protection (SC): CUI is encrypted in transit and at rest. Communications at system boundaries are monitored and controlled.
Monitoring & Response
  • Audit & Accountability (AU): System audit logs are created, protected, and reviewed regularly for all systems handling CUI.
  • Incident Response (IR): A written incident response plan exists, is tested, and includes DoD reporting requirements.
  • System & Info Integrity (SI): Systems are protected against malicious code and monitored for security alerts and advisories.
Documentation & Training
  • System Security Plan (SSP): A complete SSP documenting all 110 controls and system boundaries exists and is current.
  • Awareness & Training (AT): All personnel handling CUI have received security awareness training and role-based security training.
  • Risk Assessment (RA): Risk assessments are conducted periodically and used to inform security decisions.
  • Security Assessment (CA): Security controls are periodically assessed and a Plan of Action & Milestones (POA&M) is maintained.
Pricing

Two Ways to Get CMMC Ready.
Both Start With a Free Discovery Call.

Not sure which option fits your situation? Book the free call and we'll confirm your required level and recommend the right path forward.

CMMC Readiness Assessment
$3,500 – $5,000
one-time flat fee

A complete gap analysis against your required CMMC level — with a written report, System Security Plan (SSP) foundation, and full remediation roadmap. Ideal before committing to ongoing services or ahead of a C3PAO assessment.

  • Full gap analysis vs required CMMC level
  • System Security Plan (SSP) foundation
  • Written remediation roadmap
  • Prioritized findings by contract risk
  • Plan of Action & Milestones (POA&M)
  • Executive summary for leadership
  • NIST SP 800-171 scoring baseline

Free discovery call included

Heads up on timing. CMMC Level 2 C3PAO assessments are in high demand and assessors are booking months out. The earlier you start remediation, the better positioned you'll be. Don't wait for a contract renewal to start this process.

Don't Lose Your Contract

Your Competitors Are Already
Getting CMMC Certified.

Prime contractors are already requiring CMMC certification from their supply chain before contract renewals. The window to get ahead of this is closing. A free discovery call takes 30 minutes and tells you exactly what level you need, what gaps you have, and how long remediation will take.

Free discovery call
Former DoD ISSO experience
RI, CT & MA coverage
No long-term commitment
Results within 48 hours
James Aptt — Former DoD ISSO

I operated within these exact frameworks on the government side. I know what assessors look for, what findings are most common, and how to get your organization ready — efficiently and without surprises.
